Channels

Services

Study: Chrome the most secure browser

Only 13% of malicious URLs were filtered out by the browsers
Source: Accuvant Labs

Security research firm Accuvant has published a new study, commissioned by Google, that investigated and compared the security mechanisms of popular web browsers. The study concludes that Chrome offers more protection than Internet Explorer and Firefox. Internet Explorer 9 came out ahead of its open source competitor Firefox. However, the researchers weren't convinced by any of the browsers' URL filters which attempt to prevent users from accessing malicious pages.

In 102 pages, the experts describe and compare in detail how individual browsers implement popular protective mechanisms, including Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). They also pay special attention to sandboxing and the hardening of integrated Just-In-Time (JIT) compilers. All of these mechanisms are intended to hamper the exploitation of existing flaws.

The integrated sandbox in Google's Chrome browser scored particularly well. It is designed to protect the system against potentially malicious accesses, for example via malicious content or a rogue plug-in. The study concludes that Google Chrome offers quite a convincing concept while Microsoft's "Integrity Level" implementation appears to be rather patchy. Firefox, on the other hand, has offered virtually no such functionality so far.

All three browsers produced disappointing results when trying to filter URLs that contain malware even before accessing them. Both Microsoft's URL Reporting Service and Google's Safe Browsing Lists, which are used by Firefox and Chrome, only detected a meager 13 per cent of the more than 3,000 malicious URLs.

While large parts of the security community will agree with the study's general conclusions, the results should be treated with some caution. Although Accuvant Labs assures readers that its assignment was to conduct an objective comparison, the study was still commissioned by Google, who will probably not have financed the work entirely without ulterior motives. In any case, the study does provide a good introduction to state-of-the-art browser security.